/CHANGELOG.md |
1,9 → 1,11 |
# ALCASAR CHANGELOG |
## 3.7.0 (SVN revision: 3180) |
## 3.7.0 (SVN revision: xxxx) |
* NEWS |
* Mageia9 (kernel 6.6.22) |
* CHANGES |
* ACC |
* use nmap's MAC prefix file instead of our |
* BUGS |
* SECURITY |
* WEB |
/alcasar.sh |
909,8 → 909,6 |
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log |
chown root:apache $DIR_SAVE/security/acc_access.log |
chmod 664 $DIR_SAVE/security/acc_access.log |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca) |
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/ |
} # End of ACC() |
############################################################# |
921,11 → 919,12 |
{ |
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
$SED "s?^pool.*?pool fr.pool.ntp.org iburst?g" /etc/ntp.conf |
$SED '$ainterface ignore wildcard' /etc/ntp.conf |
$SED '$ainterface listen lo' /etc/ntp.conf |
$SED '$ainterface listen $INTIF' /etc/ntp.conf |
echo "interface ignore wildcard" >> /etc/ntp.conf |
echo "interface listen lo" >> /etc/ntp.conf |
echo "interface listen $INTIF" >> /etc/ntp.conf |
# Synchronize now |
ntpdate fr.pool.ntp.org & |
sleep 2 # wait for time server responce |
} # End of time_server() |
##################################################################### |
1270,7 → 1269,7 |
################################################################ |
## "e2guardian" ## |
## - Set the parameters of this HTML proxy (as controler) ## |
## - Set the parameters of this HTTP proxy (as controler) ## |
################################################################ |
e2guardian() |
{ |
1284,15 → 1283,18 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
# +++ listen & loop prevention on loopback |
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
# 2 filtergroups (8080 & 8090) |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
# Listen on 8080 (HTTP for BL users) only on LAN side |
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# Listen on 8090 (HTTP for WL/AV users) only on LAN side |
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf |
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version) |
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
# Listen on LAN only |
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# Listen on 8080 (group1 : BL users on HTTP) |
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# Listen on 8081 (group2 : previously AV users --> to be redefine) |
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_DG/e2guardian.conf |
# for now we don't listen transparently on 8443 (HTTPS) (only in future version) |
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
1301,15 → 1303,10 |
# Enable authport plugin |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
# Set Max RAM cache to 10Mb |
$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf |
# Set Max file size cache to 20Mb |
$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf |
# Adapt the first group conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf |
# !!! Set Max RAM cache to 10Mb (for antimalware/EDR) |
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf |
# !!! Set Max file size cache to 20Mb (for antimalware/EDR) |
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf |
# copy & adapt HTML templates |
cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1317,29 → 1314,26 |
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html |
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html |
###### ALCASAR special filtering #### |
###### ALCASAR filtering for group1 (blacklisted_users) #### |
# Adapt group1 conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf |
DIR_GROUP1="$DIR_DG/lists/group1" |
cp -r $DIR_DG/lists/example.group $DIR_GROUP1 |
chown -R e2guardian:root $DIR_GROUP1 |
# RAZ bannedphraselist |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default |
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html |
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedregexpurllist # (comment what is not) |
# Dont filtering files by extension or mime-type (empty list) |
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
touch $DIR_DG/lists/bannedextensionlist |
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
touch $DIR_DG/lists/bannedmimetypelist |
# Empty LAN IP list that won't be WEB filtered |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
touch $DIR_DG/lists/exceptioniplist |
> $DIR_GROUP1/bannedextensionlist |
> $DIR_GROUP1/bannedmimetypelist |
# Creation of ALCASAR banned site list |
[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default |
cat <<EOF > $DIR_DG/lists/greysitelist |
[ -e $DIR_GROUP1/greysitelist.default ] || mv $DIR_GROUP1/greysitelist $DIR_GROUP1/greysitelist.default |
cat <<EOF > $DIR_GROUP1/greysitelist |
# E2guardian filter config for ALCASAR |
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
# block all SSL and CONNECT tunnels |
1350,35 → 1344,34 |
*ip |
EOF |
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function) |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
cat <<EOF > $DIR_DG/lists/bannedurllist |
# E2guardian filter config for ALCASAR |
[ -e $DIR_GROUP1/bannedurllist.default ] || mv $DIR_GROUP1/bannedurllist $DIR_GROUP1/bannedurllist.default |
cat <<EOF > $DIR_GROUP1/bannedurllist |
# E2guardian URL filter config for ALCASAR |
EOF |
# Creation of files for rehabilited domains and urls |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
touch $DIR_DG/lists/exceptionsitelist |
touch $DIR_DG/lists/exceptionurllist |
[ -e $DIR_GROUP1/exceptionsitelist.default ] || mv $DIR_GROUP1/exceptionsitelist $DIR_GROUP1/exceptionsitelist.default |
[ -e $DIR_GROUP1/exceptionurllist.default ] || mv $DIR_GROUP1/exceptionurllist $DIR_GROUP1/exceptionurllist.default |
touch $DIR_GROUP1/exceptionsitelist |
touch $DIR_GROUP1/exceptionurllist |
# Add Bing to the safesearch url regext list (parental control) |
[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
cat <<EOF >> $DIR_DG/lists/urlregexplist |
[ -e $DIR_GROUP1/urlregexplist.default ] || cp $DIR_GROUP1/urlregexplist $DIR_GROUP1/urlregexplist.default |
cat <<EOF >> $DIR_GROUP1/urlregexplist |
# Bing - add 'adlt=strict' |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
EOF |
# 'Safesearch' regex actualisation |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
$SED "s?images?search?g" $DIR_GROUP1/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
$SED "s?safe=vss?safe=strict?g" $DIR_GROUP1/urlregexplist |
# Create & adapt the second group conf file (av + av_wl) |
# Create & adapt group2 conf file (av + av_wl) |
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf |
$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf |
$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf |
$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls |
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls |
# create log folder |
mkdir -p /var/log/e2guardian |
mkdir -p /var/log/e2guardian |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
} # End of e2guardian() |
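Review bot: The new LISTDIR substitution in the 1317 hunk, `$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf`, uses `/` as the sed delimiter while `$DIR_DG` is an absolute path, so after expansion the slashes inside the path terminate the replacement early and sed aborts with "unknown option to `s'"; unless the script runs under `set -e` that error is non-fatal and group1's config silently keeps the stock LISTDIR, meaning the group1 lists this commit populates (and the `bannedurllist` alcasar-bl.sh now fills) are never read by the blacklisted-users group. The rest of the function uses `?` as delimiter, and e2guardian's `.Define` syntax appears to want `<path>` with a closing `>`, so the line should read `$SED "s?^.Define LISTDIR.*?.Define LISTDIR <$DIR_DG/lists/group1>?g" $DIR_DG/e2guardianf1.conf`. The nearby `__LISTEN__` pattern in the 1350 hunk's group2 urllist substitution looks like it should be checked against the stock e2guardianf1.conf placeholder (I believe it is `__LISTDIR__`), since a non-matching pattern is a silent no-op as well. e2guardian() itself starts in the 1270 hunk, outside this one.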
/conf/nmap-mac-prefixes |
File deleted |
/rpms/ipt-netflow-2.6.spec |
1,8 → 1,9 |
%define kversion 5.15.126-server-1.mga8 |
%define kversion 6.6.22-server-1.mga9 |
%define debug_package %{nil} |
%define _build_id_links none |
Name: ipt-netflow |
Version: 2.6 |
Release: %mkrel 1 |
Release: %mkrel 0 |
Summary: Netflow iptables module for Linux kernel |
License: GPLv2 |
Packager: Richard REY (Rexy) |
19,7 → 20,7 |
%setup -q -n ipt-netflow-%{version} |
%build |
./configure --kdir=/usr/src/kernel-5.15.126-server-1.mga8 --disable-dkms --disable-snmp-agent |
./configure --kdir=/usr/src/kernel-%{kversion} --disable-dkms --disable-snmp-agent |
%make_build |
%install |
42,9 → 43,12 |
/lib64/iptables/libipt_NETFLOW.so |
/lib64/iptables/libip6t_NETFLOW.so |
/lib/modules/%kversion/extra/ipt_NETFLOW.ko |
/lib/modules/%kversion/updates/ipt_NETFLOW.ko |
%changelog |
* Fri Nov 14 2023 Richard REY <Rexy> |
* Sun Apr 21 2024 Richard REY <Rexy> |
- Version 2.6 for the kernel 6.6.22 (ALCASAR 3.7.0) |
* Tue Nov 14 2023 Richard REY <Rexy> |
- Version 2.6 for the kernel 5.15.126 (ALCASAR 3.6.1) |
* Fri Dec 30 2022 Richard REY <Rexy> |
- Version 2.6 for the kernel 5.15.86 (ALCASAR 3.6.0) |
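Review bot: `Release: %mkrel 0` moves the release backwards from the previous `%mkrel 1`, so by RPM version comparison 2.6-0.mga9 sorts below the existing 2.6-1.mga8 and `rpm -U`/urpmi would treat it as a downgrade on any system that still has the mga8 package. If ALCASAR 3.7.0 is only ever installed on a fresh Mageia 9, this is harmless, but `Release: %mkrel 2` keeps the upgrade path monotonic at no cost. Deriving the `--kdir` from `%{kversion}` is a good change; the same macro could also be noted in the `%changelog` entry so the kernel the binary was built against is traceable from `rpm -q --changelog`.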
/rpms/x86_64/ipt-netflow-2.6-1.mga8.x86_64.rpm |
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/rpms/x86_64/ipt-netflow-2.6-0.mga9.x86_64.rpm |
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
/scripts/alcasar-bl.sh |
18,6 → 18,7 |
FILE_ip_tmp="/tmp/filesipfilter.txt" |
DIR_DG="/etc/e2guardian/lists" |
DIR_DG_BL="$DIR_DG/blacklists" |
DIR_DG_GROUP1="$DIR_DG/group1" |
GLOBAL_USAGE="$DIR_CONF/alcasar-global-usage" # file containing the description of the lists |
BL_CATEGORIES="$DIR_CONF/alcasar-bl-categories" # list of names of the BL categories |
WL_CATEGORIES="$DIR_CONF/alcasar-wl-categories" # ' ' WL categories |
57,7 → 58,7 |
chown root:apache $DIR_CONF/update_cat.conf |
chmod 660 $DIR_CONF/update_cat.conf |
fi |
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
$SED "/\.Include/d" $DIR_DG_GROUP1/bannedsitelist $DIR_DG_GROUP1/bannedurllist # cleaning for DG |
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
# process the file $BL_CATEGORIES with the choice of categories |
67,8 → 68,8 |
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE |
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound |
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG_GROUP1/bannedsitelist # Blacklisted domains are managed by unbound |
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG_GROUP1/bannedurllist |
done |
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp |
mv $FILE_tmp $BL_CATEGORIES |
289,7 → 290,7 |
cat_choice |
# for unbound (rehabilitated domain names) |
rm -f $REHABILITATED_DNS_FILE |
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ] |
if [ "$(wc -w $DIR_DG_GROUP1/exceptionsitelist | cut -d " " -f1)" != "0" ] |
then |
touch $REHABILITATED_DNS_FILE |
while read -r domain; do |
296,7 → 297,7 |
[ -z "$domain" ] && continue |
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE |
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE |
done < $DIR_DG/exceptionsitelist |
done < $DIR_DG_GROUP1/exceptionsitelist |
fi |
# adapt OSSI BL & WL custom files |
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
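Review bot: In the 289 hunk, `if [ "$(wc -w $DIR_DG_GROUP1/exceptionsitelist | cut -d " " -f1)" != "0" ]` is true when the file is absent (wc prints nothing, and `"" != "0"` holds), so on a host whose rehabilitated domains still live at the pre-3.7.0 path `$DIR_DG/exceptionsitelist` the script touches `$REHABILITATED_DNS_FILE` and then fails on the `done < $DIR_DG_GROUP1/exceptionsitelist` redirection in the 296 hunk. `if [ -s "$DIR_DG_GROUP1/exceptionsitelist" ]` covers both the missing and the empty case, and is equivalent for content since the loop already skips blank lines. Nothing in this commit migrates the old `exceptionsitelist`/`exceptioniplist` into `group1/`; if that is expected of the installer, it is worth stating in the CHANGELOG. The same group1 path is spelled out independently here, in alcasar-iptables.sh (`REHABILITED_IP`) and in bl_filter.php, so a single source for it would prevent drift. The while loop in question starts in the 289 hunk and ends in the 296 hunk.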
/scripts/alcasar-iptables.sh |
53,7 → 53,7 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
IPTABLES="/sbin/iptables" |
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist" |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptioniplist" |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
231,9 → 231,9 |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# 8090 = ipset av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8081 = ipset av_wl + av (to be redefine) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8081 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8081 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version) |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
281,9 → 281,9 |
# 8080 = ipset av_bl |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# 8081 = ipset av_wl & av |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081 |
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy) |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian |
346,13 → 346,13 |
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version) |
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT |
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version) |
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
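Review bot: Port 8081 and mark 2 are now hard-coded in the PREROUTING nat/mangle pair (231 hunk), the INPUT REJECT and the INPUT ACCEPT lines (346 hunk), and the same port is set separately as `filterports = 8081` in alcasar.sh's e2guardian(); the mark/REJECT protection only works while both files agree, and nothing makes that coupling visible. Defining the ports once next to `REHABILITED_IP`, e.g. `E2G_PORT_BL=8080` and `E2G_PORT_WL=8081`, and using them in every rule would make the invariant explicit. As far as the still-commented REDIRECT lines in the 281 hunk show, no traffic is currently steered to 8081, so the `(to be redefine)` comment could say what is pending rather than leaving a listen port whose purpose is unclear to the next reader.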
/scripts/alcasar-rpm.sh |
20,6 → 20,8 |
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh") |
# "sudo" : needed after a reinstallation (to be investigated) |
# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method |
# "nmap" : "/usr/share/nmap/nmap-mac-prefixes" is used to display MAC manufacturers in ACC |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-dom php-filter unbound e2guardian postfix mariadb ntpsec bind-utils openssh-server rng-utils rsync fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop" |
rpm_repository_sync () |
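Review bot: The new comment states that `/usr/share/nmap/nmap-mac-prefixes` from the `nmap` package is what the ACC now reads, and this commit deletes conf/nmap-mac-prefixes, but the PACKAGES string as displayed here does not contain `nmap`. Unless nmap is pulled in transitively by another package, a fresh install would have no prefix file and activity.php's `file_exists()` guard would silently show no manufacturer at all. If the line was truncated by the rendering this can be ignored; otherwise `nmap` needs to be appended to PACKAGES.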
/web/acc/admin/bl_filter.php |
227,7 → 227,6 |
$bl_categories_enabled=$dir_etc."alcasar-bl-categories-enabled"; |
$conf_file=$dir_etc."alcasar.conf"; |
$domainfilter_file="/etc/unbound/conf.d/blacklist/domainfilter.conf"; |
$bannedsite_file=$dir_dg."bannedsitelist"; |
$dir_tmp="/tmp/blacklists"; |
$update_file_cat="/usr/local/etc/update_cat.conf"; |
$update_file_ossi_cat="/usr/local/etc/update_ossi_cat.conf"; |
291,11 → 290,11 |
fputs($fichier, form_filter($_POST['OSSI_bl'])); |
fclose($fichier); |
unset($_POST['OSSI_bl']); |
$fichier=fopen($dir_dg."exceptionsitelist","w+"); |
$fichier=fopen($dir_dg."group1/exceptionsitelist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_domains'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_domains']); |
$fichier=fopen($dir_dg."exceptioniplist","w+"); |
$fichier=fopen($dir_dg."group1/exceptioniplist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_ip'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_ip']); |
462,12 → 461,12 |
echo "<tr><td width=50% colspan=5 align=center>"; |
echo "<H3>$l_rehabilitated_dns</H3>$l_rehabilitated_dns_explain<BR>$l_one_dns<BR>"; |
echo "<textarea name='BL_rehabilited_domains' rows=3 cols=40>"; |
echo_file ($dir_dg."exceptionsitelist"); |
echo_file ($dir_dg."group1/exceptionsitelist"); |
echo "</textarea></td>"; |
echo "<td width=50% colspan=5 align=center>"; |
echo "<H3>$l_rehabilitated_ip</H3>$l_rehabilitated_ip_explain<BR>$l_one_ip<BR>"; |
echo "<textarea name='BL_rehabilited_ip' rows=3 cols=40>"; |
echo_file ($dir_dg."exceptioniplist"); |
echo_file ($dir_dg."group1/exceptioniplist"); |
echo "</textarea></td></tr>"; |
echo "<tr><td valign='middle' align='left' colspan=10>"; |
echo "<center><b>$l_add_to_bl</b></center></td></tr>"; |
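Review bot: The two new `fopen($dir_dg."group1/…","w+")` calls in the 291 hunk still ignore fopen's return value; the installer creates that directory with `chown -R e2guardian:root $DIR_GROUP1` (alcasar.sh, 1317 hunk), so unless the web server's write access is granted somewhere not shown here, the open fails, `fputs(false, …)` only emits PHP warnings and the admin's rehabilitated domain/IP list is dropped while the form re-displays the old file. Check the handle before writing, e.g. `$fichier = fopen($dir_dg."group1/exceptionsitelist","w+");` followed by `if ($fichier === false) { die("cannot write group1/exceptionsitelist"); }`, and confirm the group1 permissions in the installer. The surrounding POST-handling block starts before this hunk.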
/web/acc/admin/wl_filter.php |
165,7 → 165,6 |
$wl_categories_enabled=$dir_etc."alcasar-wl-categories-enabled"; |
$conf_file=$dir_etc."alcasar.conf"; |
$domainfilter_file="/etc/unbound/conf.d/whitelist/domainfilter.conf"; |
$bannedsite_file=$dir_dg."bannedsitelist"; |
$dir_tmp="/tmp/blacklists"; |
$wl_safesearch="off"; |
/web/acc/manager/htdocs/activity.php |
190,9 → 190,9 |
echo "<td>".$nb_ligne."</td>"; |
echo "<td>".$detail[1]."</td>"; // @IP |
echo "<td>$detail[0]"; // @MAC |
if(file_exists('/usr/local/share/nmap-mac-prefixes')){ // retrieve @MAC manufacturer |
if(file_exists('/usr/share/nmap/nmap-mac-prefixes')){ // retrieve @MAC manufacturer |
$oui_id = substr(str_replace("-","",$detail[0]),0,6); |
exec ("grep $oui_id /usr/local/share/nmap-mac-prefixes | cut -f2", $mac_manufacturer); |
exec ("grep $oui_id /usr/share/nmap/nmap-mac-prefixes | cut -f2", $mac_manufacturer); |
if(! empty($mac_manufacturer[0])) echo " <font size=\"1\">($mac_manufacturer[0])</font>"; |
else echo " <font size=\"1\">($l_unknown)</font>"; |
unset($mac_manufacturer); |
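Review bot: The new `exec("grep $oui_id /usr/share/nmap/nmap-mac-prefixes | cut -f2", …)` line keeps `$oui_id` interpolated unquoted into a shell command; it is derived from the MAC address in `$detail[0]`, which is data reported by LAN clients rather than by the administrator, and `substr(…,0,6)` only shortens it. Validating it first, `if (!ctype_xdigit($oui_id)) { $oui_id = ''; }`, and passing it as `escapeshellarg('^'.$oui_id)` (anchored, since the file is keyed by prefix) keeps the shell out of the trust boundary; reading the prefix file once into an array keyed by OUI would additionally avoid spawning a process per table row. Nmap's file lists the OUI column in upper-case hex as far as I know, so if `$detail[0]` can be lower-case the grep will not match — confirm where `$detail` comes from. The enclosing loop starts before this hunk.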
/web/acc/phpsysinfo/README.ALCASAR |
2,5 → 2,6 |
- remove folders "tools", "sample", "plugins", "js/vendor" |
- in "/" : remove "composer.json", "phpsysinfo.xslt", "phpsysinfo3.xsd", "Dockerfile" |
: rename & adapt phpsysinfo.ini |
- in folder "templates" : remove all except "aqua", "aqua.css", "html" & "plugin". "Aqua.css" has been adapted |
- language/language.php : has been modified ($lang is set by the web browser conf) |
- in "templates" : remove all except "aqua", "aqua.css", "html" & "plugin". "Aqua.css" has been adapted |
- in "language" : language.php : has been modified ($lang is set by the web browser conf) |
- in "templates/html/index" (at the end) remove the link <a=href></a> on the phpsysinfo version. |
/web/acc/phpsysinfo/templates/html/index_dynamic.html |
273,7 → 273,7 |
<div id="ups" class="halfsize" style="display:none;"> |
</div> |
<div id="footer"> |
<span class="lang_047">Generated by</span> <a href="http://phpsysinfo.sourceforge.net/" target="psihref">phpSysInfo - <span id="version"></span></a> |
<span class="lang_047">Generated by</span> phpSysInfo - <span id="version"></span> |
</div> |
</div> |
</body> |